DEV Community: Slavius

TIL: Java SpringBoot vs. Asp.Net REST API performance

Slavius — Sat, 10 Sep 2022 22:47:52 +0000

TIL: Java Spring boot vs. Asp.Net REST API performance

Today I learned (#til) something about Java SpringBoot and Asp.Net performance.

I was testing an upcoming .Net 7 release and its Minimal APIs and I was amazed by the speed. So I decided to compare it to Java 18 SpringBoot project.

The finding was that Asp.Net 7 solution is almost 2x as fast as SpringBoot application on Java 18!

Here are the results

Asp.Net 7 Minimal APIs delivers 4,084,163 requests in 30s compared to 2,152,070 request per 30s in case of SpringBoot Java 18 application!

Java 18 SpringBoot

$ k6 run --vus 16 --duration 30s config.json

          /\      |‾‾| /‾‾/   /‾‾/
     /\  /  \     |  |/  /   /  /
    /  \/    \    |     (   /   ‾‾\
   /          \   |  |\  \ |  (‾)  |
  / __________ \  |__| \__\ \_____/ .io

  execution: local
     script: config.json
     output: -

  scenarios: (100.00%) 1 scenario, 16 max VUs, 1m0s max duration (incl. graceful stop):
           * default: 16 looping VUs for 30s (gracefulStop: 30s)


running (0m30.0s), 00/16 VUs, 2152070 complete and 0 interrupted iterations
default ✓ [======================================] 16 VUs  30s

     data_received..................: 373 MB  12 MB/s
     data_sent......................: 392 MB  13 MB/s
     http_req_blocked...............: avg=1.61µs   min=441ns   med=942ns    max=2.39ms p(90)=1.53µs   p(95)=1.75µs
     http_req_connecting............: avg=308ns    min=0s      med=0s       max=1.55ms p(90)=0s       p(95)=0s
     http_req_duration..............: avg=180.65µs min=114.4µs med=170.42µs max=4.11ms p(90)=202.21µs p(95)=216.99µs
       { expected_response:true }...: avg=180.65µs min=114.4µs med=170.42µs max=4.11ms p(90)=202.21µs p(95)=216.99µs
     http_req_failed................: 0.00%   ✓ 0            ✗ 2152070
     http_req_receiving.............: avg=22.51µs  min=4.59µs  med=20.95µs  max=3.95ms p(90)=32.44µs  p(95)=39.5µs
     http_req_sending...............: avg=6.3µs    min=2.63µs  med=5.61µs   max=3.03ms p(90)=8.87µs   p(95)=9.59µs
     http_req_tls_handshaking.......: avg=0s       min=0s      med=0s       max=0s     p(90)=0s       p(95)=0s
     http_req_waiting...............: avg=151.83µs min=92.24µs med=142.39µs max=3.43ms p(90)=172.73µs p(95)=187.11µs
     http_reqs......................: 2152070 71733.676043/s
     iteration_duration.............: avg=218.91µs min=138.9µs med=207.65µs max=4.54ms p(90)=244.87µs p(95)=263.15µs
     iterations.....................: 2152070 71733.676043/s
     vus............................: 16      min=16         max=16
     vus_max........................: 16      min=16         max=16

Asp.Net 7

$ k6 run --vus 16 --duration 30s config.json

          /\      |‾‾| /‾‾/   /‾‾/
     /\  /  \     |  |/  /   /  /
    /  \/    \    |     (   /   ‾‾\
   /          \   |  |\  \ |  (‾)  |
  / __________ \  |__| \__\ \_____/ .io

  execution: local
     script: config.json
     output: -

  scenarios: (100.00%) 1 scenario, 16 max VUs, 1m0s max duration (incl. graceful stop):
           * default: 16 looping VUs for 30s (gracefulStop: 30s)


running (0m30.0s), 00/16 VUs, 4084163 complete and 0 interrupted iterations
default ✓ [======================================] 16 VUs  30s

     data_received..................: 845 MB  28 MB/s
     data_sent......................: 743 MB  25 MB/s
     http_req_blocked...............: avg=1.06µs   min=431ns   med=972ns    max=2.48ms p(90)=1.41µs   p(95)=1.62µs
     http_req_connecting............: avg=0ns      min=0s      med=0s       max=66.6µs p(90)=0s       p(95)=0s
     http_req_duration..............: avg=74.37µs  min=30.59µs med=67.84µs  max=7.33ms p(90)=91.37µs  p(95)=106.97µs
       { expected_response:true }...: avg=74.37µs  min=30.59µs med=67.84µs  max=7.33ms p(90)=91.37µs  p(95)=106.97µs
     http_req_failed................: 0.00%   ✓ 0             ✗ 4084163
     http_req_receiving.............: avg=13.64µs  min=4.43µs  med=12.72µs  max=7.05ms p(90)=17.75µs  p(95)=19.44µs
     http_req_sending...............: avg=6.36µs   min=2.77µs  med=5.96µs   max=5.83ms p(90)=8.24µs   p(95)=8.96µs
     http_req_tls_handshaking.......: avg=0s       min=0s      med=0s       max=0s     p(90)=0s       p(95)=0s
     http_req_waiting...............: avg=54.35µs  min=19.55µs med=48.45µs  max=5.34ms p(90)=70.1µs   p(95)=83.96µs
     http_reqs......................: 4084163 136135.973692/s
     iteration_duration.............: avg=113.11µs min=56.58µs med=105.71µs max=7.9ms  p(90)=133.41µs p(95)=153.52µs
     iterations.....................: 4084163 136135.973692/s
     vus............................: 16      min=16          max=16
     vus_max........................: 16      min=16          max=16

Details

The goal was to test simple HTTP POST API that takes JSON body, deserializes it, modifies the values and returns serialized JSON response back.

The request and response objects are identical but represented by different classes. Modification of data is simple concatenation of strings and addition to integer value.

For Asp.Net project a preview7 of .Net 7 was used, for Java counterpart a new SpringBoot project with spring-boot-starter-web and lombok as dependencies combined with Oracle OpenJDK 18.0.2.1

The code is as follows:

Java 18 SpringBoot

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.7.3</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.example</groupId>
    <artifactId>RestApiDemo</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>RestApiDemo</name>
    <description>RestApiDemo</description>
    <properties>
        <java.version>18</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <optional>true</optional>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>

</project>

RestApiDemoApplication.java

package com.example.restapidemo;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class RestApiDemoApplication {

    public static void main(String[] args) {
        SpringApplication.run(RestApiDemoApplication.class, args);
    }

}

InputModel.java

package com.example.restapidemo;

import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.Setter;

@Getter
@Setter
@AllArgsConstructor
public final class InputModel {
    String FirstName;
    String LastName;
    Integer Age;
}

OutputModel.java

package com.example.restapidemo;

import lombok.AllArgsConstructor;
import lombok.Getter;
import lombok.Setter;

@Setter
@Getter
@AllArgsConstructor
public final class OutputModel {
    String FirstName;
    String LastName;
    Integer Age;
}

DemoController.java

package com.example.restapidemo;

import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DemoController {

    @PostMapping("/get")
    @ResponseBody
    public OutputModel GetData(@RequestBody InputModel input) {
        return new OutputModel(input.FirstName + "x", input.LastName + "x", input.Age + 10);
    }
}

Asp.Net 7

Program.cs

using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

app.MapPost("/get", ([FromBody] InputModel input) => new OutputModel
    {
        FirstName = input.FirstName + "x",
        LastName = input.LastName + "x",
        Age = input.Age + 10
    }
);

app.Run();

internal sealed class InputModel
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public int Age { get; set; }
}

internal sealed class OutputModel
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
    public int Age { get; set; }
}

K6.io config.json

import http from 'k6/http';

export default function () {

  const url = 'http://localhost:8080/get';

  const payload = JSON.stringify({
    FirstName: 'John',
    LastName: 'Doe',
    Age: 33
  });

  const params = {
    headers: {
      'Content-Type': 'application/json',
    },
  };

  http.post(url, payload, params);
}

Testing first with CURL for response validity:
Java 18 SpringBoot

$ curl -X POST http://localhost:8080/get -H "content-type: application/json" -d "{\"FirstName\":\"John\",\"LastName\":\"Doe\",\"Age\":33}"

{"firstName":"Johnx","lastName":"Doex","age":43}%

Asp.Net 7

$ curl -X POST http://localhost:8080/get -H "content-type: application/json" -d "{\"FirstName\":\"John\",\"LastName\":\"Doe\",\"Age\":33}"

{"firstName":"Johnx","lastName":"Doex","age":43}%

It seems Kestrel server with .Net 7 does a pretty decent job handling simple APIs compared to default Tomcat Server with Java 18 based SpringBoot application.

Maybe someone can consider using this when deciding to implement simple REST API since the bare language is very similar until you decide to use some ORM framework or logging.

Wait for injectable service init() in Angular

Slavius — Thu, 06 Aug 2020 14:12:55 +0000

Hey Angularists,

I'm learning Angular and I still cannot figure out one important thing to do properly.

What I'm trying to achieve is to create global @Injectable Service that has some initialization function that needs to finish before the Service should be used.

Right now the Service does its initialization in the constructor, as AFAIK services do not use ngOnInit() functions. Let's say the initialization calculates some random prime number which takes about 200ms to finish.

Unfortunately when the Service is injected into a Component and a public function of the Service that's supposed to return this prime number is being called in the onInit() of the Component the returned value is always undefined as the constructor of that Service did not finish yet at that time.

Of course if there would be some async function to call (e.g. an HttpClient) I would return a Promise or Observable and subscribe to it in the Component. However the constructor does not call any of it.

I also tried EventEmitter and emit true at the end of the constructor work when the initialization is done while subscribing to it in the Component OnInit function. This however does not work for me for some reason and it never receives the emitted event.

I come from C# and I simply find it amusing that DI can provide you with an uninitialized object. ;)

I found possible solution with APP_INITIALIZER and ProviderFactory but I find it too complex so I wanted to know about other options.

Any advice and help on how this should be properly handled in Angular is welcome. Thanks in advance!

Edit: I figured out that when I hide the property behind a function call getPrime() { return this.prime; } it works. However it's still a mystery to me how a non-static property can be read before the constructor has finished...

Fixing issues running Folding@Home on Gentoo/Sabayon Linux

Slavius — Fri, 10 Apr 2020 15:52:03 +0000

The problem

Directly after installing Folding@Home (FaH from now on) on recent version of Sabayon Linux (based on Gentoo Linux) there are issues with OpenSSL libraries linked. One of the dependent packages installed is openssl-compat which however is also too recent for ancient FaH client released in 2018.

Source of the problems

Examining the original dependencies of FaH client is OpenSSL 1.0.1 while openssl-compat package includes version 1.0.2u which results in unrecoverable errors during FaH application runtime due to ABI changes.

The solution

Solution is to install older OpenSSL libopenssl.so and libcrypto.so libraries. To avoid collisions with openssl-compat package, which can now be safely uninstalled (if you validate no other packages depend on it) by:sudo equo rm --ask --nodeps openssl-compat
I opted to download OpenSSL 1.0.1 from GitHub repository, compile the shared libraries and install them inplace.

This can be easily achieved by:

#clone GitHub repo
git clone https://github.com/openssl/openssl.git 
cd openssl 
# switch to 1.0.1 branch
git checkout OpenSSL_1_0_1-stable 
# configure with the same Sabayon system wide CFLAGS
CFLAG="-O2 -march=x86-64 -pipe -fno-strict-aliasing -Wa,--noexecstack" ./Configure linux-x86_64 shared 
# make libs only - libssl.so and libcrypto.so
make build_libs 
# remove now invalid symlinks in FaH client folder
sudo rm –f /opt/foldingathome/libcrypto.so.10 /opt/foldingathome/libssl.so.10 
# copy new libraries over
sudo cp ./libcrypto.so.1.0.0 /opt/foldingathome/libcrypto.so.10 
sudo cp ./libssl.so.1.0.0 /opt/foldingathome/libssl.so.10

Now running FaH client works correctly.

Happy folding against COVID-19! Stay safe!

Brent Ozar offering free MSSQL courses

Slavius — Mon, 16 Mar 2020 23:50:57 +0000

[https://mailchi.mp/brentozar/free-sql-server-training-during-the-quarantines?e=207f9bb421]
Free training during the quarantine, even in the EU.

Well, that escalated quickly, huh? Two months ago, I didn't know what a coronavirus was. Since then, it's gone through more name changes than the Microsoft certification program (well, maybe not that many) and we're canceling all our travel plans, restaurant reservations, and wondering why people think toilet paper gives them immunity.

Every business seems to be emailing me their COVID-19 action plan, so I figure I should give y'all one, too. Here's my action plan: give away training to give you something to do.

Fundamentals of Index Tuning:
This class assumes you've already been through my How to Think Like the Engine class, which has always been free. After conquering that one:
Indexing for the WHERE Clause
Indexing for ORDER BY
Indexing for JOINs
Clippy's Index Recommendations
Recap and Next Steps
After finishing that one, you're ready for:

Fundamentals of Query Tuning:
Went live today: Building a Query Plan
Goes live Tuesday: How to Find the Right Queries to Tune
Weds: How Parameters Influence Cached Plans
Thurs: Improving Cardinality Estimation Accuracy
Fri: Common T-SQL Anti-Patterns
Those videos will go away April 1, and if countries are still quarantined, I'll give away more fundamentals classes to keep amping up your skills. We're all in this together.

Stay safe and be well.
Brent

The curious case of insecure HTTPS certificates

Slavius — Fri, 09 Aug 2019 16:53:41 +0000

This article is a first in series of explanations to all claims done by our former colleague that claimed he found numerous security and performance issues in our project shortly after joining our team.
You can find the preface here.

Lets have a look at the first claim:

I guess that we transfer data from GUI to the API server probably with HTTPS , but this is not enough. Because a person can easily get a SSL certificate with DNS spoofing and listen to the packages. So the first thing is , We are sending our password for login or any other transaction as a plain text and then we will only encrypt it on DB. We must also encrypt the passwords on the client-side with another salt or another type of encryption when we want to send a request like LOGIN function. (recommend different salt for different customers)

First question that should come to our minds is; why would everyone including huge international companies like Microsoft, Google, Mozilla and Intel invest so much time and money into developing support for HTTPS and SSL/TLS into basically all web browsers, improving SSL/TLS protocols with enhancements, bug and performance fixes, forming certification authorities and creating selling points of certificates for companies and individuals when based on this description it seems to be totally trivial to overcome the whole protection of SSL/TLS and certificate based security???
How would you justify in your company buying a $199 EV SSL certificate for just one site for one year if this would be true?

Let's first start with how SSL certificates are obtained. Most certification authorities (from now on called CAs) require you to prove your personal identity to get basic certificates. This can be accomplished e.g. by validating and assigning your e-mail address to your CA account. For so called EV (Extended validation) certificates - that give you this well known "green lock" in the browser's URL bar, you need to undergo a more strict procedure in addition to the personal verification by e.g. faxing/photocopying a company certificate, address and/or validating your relationship by making a phone call from a phone-number associated with your company in public registry, or receiving a validation code using postal service delivered to your company postal address. This guarantees that nobody else without access to your e-mail, private company post box, office or phone device can validate him/her-self as company representative to gain EV validation for your company at the CA.

Now that you have validated your person or company you need to actually prove you own the domain you'd like to get certificate for. Of course e.g. google.com domain is no more owned by Google company (it's now called Alphabet) so when you are validated as a company you are eligible to request any domain certificate not only one that matches your company name.
For this purpose you have to alter the public DNS records or your HTTP server settings to return expected response to your CA request. E.g. you may be asked by your CA to set up a special DNS record with name d24ecd160f4443b5ba55374b15516fc3.yourdomain.com that points to their server or return specific TXT response; or that by visiting URL http://yourdomain.com/d24ecd160f4443b5ba55374b15516fc3.txt you present a content from a text file delivered to your previously validated e-mail address by the CA.
This way only person that has access to the DNS management of your domain and a web server that your DNS records points to, is able to successfully validate certificate request by the CA.

As you can see without extensive social engineering, wiretapping, breaking into someone offices or post box at the right time, hacking your DNS provider and server hosting it is quite hard to request a certificate to arbitrary domain name on someones behalf.

Let's be honest and say that in the past, there were some incidents where due to human errors and heavy social engineering some less known, smaller CAs erroneously issued certificates for different company domains like Google. This can happen but it was soon discovered and corrected. In this case certificates must be invalidated (revoked) and new ones for affected sites re-issued. For this purpose each CA exposes so called Certificate Revocation List (CRL). These lists are checked by your browser by each time an access to certificate protected site is made, to disallow access to sites that are compromised and served with certificate already revoked by the CA.

So now when we've explained how it is hard (not impossible) to fake a certificate let's explore options how this actually can be done without any user even noticing!

And here everything boils down to trust. The easiest way to convince someone he's accessing a perfectly valid and secure certificate protected site is by lying to him. What does that mean you ask?
The whole sense of safety is a result of you relying on your browser to tell you if the site you are visiting is fine or there's something fishy going on by looking at the browser error displayed when you visit misconfigured or fake site.
Rule number one: Use only web browser downloaded from verified source
Never ever download a web browser from untrusted sources (download sites, warez sites, custom browser builds on GitHub, etc.). It may be tempting to have an "Un-Googled Chromium" - perfect browser based on Chromium with Google spyware removed (TM). The only source of these browser builds are random people on the internet. You may get a browser that was built from official GitHub repo with Google stuff removed but sneakily one CA certificate added that is under control of an attacker. Results may be disastrous. By having an attacker controlled CA certificate bundled into your browser one can, in addition to DNS spoofing redirect you to an attacker controlled server hosting an exact copy of Gmail login page. Just type in the credentials and they will be sent to the attacker's server without you even noticing!
Some browsers do not come with CA certificates bundled and instead rely on the operating system CA certificate store. There is also a risk associated with it because the code in the source code of this untrusted browser download may have been modified to use internal CA certificate bundled in it.
In case of browsers like Internet Explorer running on Windows without antivirus combined with untrusted applications from unverified sources can result in system infection that imports own CA certificates into Windows/Linux CA store. All browsers using these store would then be compromised even if the browser itself comes from verified vendor's site.
Rule number two: Run antivirus combined with software from trusted sources
Do your job and verify downloaded file's hash with the one the vendor provides. Most of them do now!
An alternative would be to run regular browser in a sandbox or Virtual Machine and only use trusted browser on your main operating system to access important sites (banking, mails, company portals, social media, etc.)

Some attacks are also possible on insecure networks, especially public WiFi. Here the claim about DNS spoofing comes to effect. Although without compromising your operating system and/or web browser it's hard to fake certificates, what can actually happen is that your request to gmail.com will be handled by the DNS server under attacker's control and you will be redirected to similarly looking gmial.com domain with valid certificate. It is common to do this kind of tricks as user's don't usually check what they typed in after the page they receive looks what they expect it usually does. Similar typo-based domains are registered and pretend to be their original counterparts so always beware on untrusted networks. Use your own DNS settings paired with DNSSEC or DNS over HTTPS or use VPN to browse the internet. Or if you have such option, do not connect to unknown networks and use cellular network instead.
Rule number three: Never trust unknown networks and use VPN if you need to

Hope you enjoyed this post and thank you for reading!

In the next part we can have a look at why may accessing even self-signed certificate sites be secure in some cases and what it means to establish an SSL/TLS session with remote host.

Your code has lots of security and performance issues, he said...

Slavius — Fri, 09 Aug 2019 15:46:18 +0000

Introduction

Recently we hired an external freelancer to our team to help with a backend server project done in .Net Core and PostgreSQL database server. Our solution consists of many projects including an MQTT protocol based server, a threaded TCP server, a calculation/processing engine and a public rest API.

After just two weeks this person suddenly changed his attitude and said he's too unhappy with the security and performance issues in the project so that he has already decided to leave. In person, we never managed to get from him a list of issues he was referring to. We unfortunately had to threaten him not paying for his works unless he provides some evidence to his claims. We were too afraid that our project suffers from some overlooked problems we missed and if he has the expertise and experience to advice us we simply wanted to know.

After few days an e-mail arrived thanking us for cooperation and a brief list of what the person found so unacceptably bothering about the security and performance in our project. Here's an unedited excerpt from the e-mail:

First of all, you shouldn’t be worry about the security. I just told you generally.
But I strongly recommend you to follow these changes on the code and DB to have a better quality. (this is just a help)

I guess that we transfer data from GUI to the API server probably with HTTPS , but this is not enough. Because a person can easily get a SSL certificate with DNS spoofing and listen to the packages. So the first thing is , We are sending our password for login or any other transaction as a plain text and then we will only encrypt it on DB. We must also encrypt the passwords on the client-side with another salt or another type of encryption when we want to send a request like LOGIN function. (recommend different salt for different customers)

3 char password for users are really short. Because with authentication attempts attacks , a person can find a password after a short while , at least 7 or 8 chars recommended

And also we should prevent authentication attempts, for example after 10 time attempt of one user, we block that user.

There is something also that maybe is not very important, but just for you to know, there is something called Man-in-middle Attack or spoofing , for preventing any issue in this case, it’s better to validate any request to server. For example in project/Add we just check if the body.Device is not null then we do our process , But imagine that if body.Device is really not null, and the data on the package was not a correct data. This type of data can harm the DB data or add some invalid values. For this item , because you normally know your customers, it’s not an important issue. But it’s still important.

In Database I found many non-indexes fields like Group in Table ProjectDevices. (can be better in performance)

About the tokens in API header I recommend you to Encrypt it while sending.

And also because of better security I recommend to have a node to node client certificate (x509. Certificate authentication)

I have decided to personally go through the list and examine, investigate and eventually fix the problems in each point. After reading it through though - I realized this person just lacks the knowledge and the threats he describes are not real.

I decided to write a detailed explanation to each point in individual articles so you may find some of these useful when working on your project that you understand the topics and you're not missing anything regarding security and performance.

Stay tuned.

Explaining Load Balancers

Slavius — Wed, 22 Aug 2018 20:03:26 +0000

Preface

This originally came as comment on #explainlikeimfive - Explain Load Balancers Like I'm Five but I decided to convert it to a little explaining article.

Load balancers are all about scaling

Generally speaking, there are 2 types of scaling:

Vertical - you keep adding resources to your single system until you run out of space - e.g. until you have no more free memory slots to expand your RAM or SATA/SAS ports to connect another hard drive. This is similar to piling up resources in one isolated place - it all grows to the roof vertically.
Horizontal - you keep adding more small autonomous systems, each having it's own portion of resources that in sum give you the power and performance you need. You can do this as long as you have physical space (and enough electricity for reliable operation) which is very efficient in regards of future growth. Think of a big shelf where you put new server next to the last one when you run out of resources - it grows horizontally.

Load Balancers come in play when you scale horizontally

The individual systems deployed behind load balancer are called nodes.

Generally you put load balancer in front of these nodes to handle the management work. The load balancer decides how to spread the load across all nodes and how it supports the nodes and tries to offload as many tasks from them as possible.

Features of the load balancer

We can sum up as:

balancing the load across available nodes - obviously
keeping information about health of all nodes to prevent routing requests to dead nodes. This is done by implementing regular health checks - usually HTTP probes to specially crafted API that responds with the internal state of the application. This allows e.g. for an awesome way to do maintenance - because you can mark nodes as inactive (while doing the maintenance and/or reboots) and the web application still works by serving requests from other active nodes. The same way you can slowly replace all nodes by swapping one-by-one for more powerfull ones without any downtime!
keeping information about the load on each node (CPU load, RAM usage, number of active connections, number of connections/second to each node) to prevent further overloading already heavily used nodes
keeps track of sessions (based on source IP address+port or HTTP cookie) to route the same client always to the same node (necessary if the remaining nodes are not session aware - imagine you log into an application which produces cookie for your authenticated session. Then your next request would be redirected to a different node (which load balancer decides e.g. is less loaded) that has no idea you were already authenticated because it has no cookie - you would end up redirected back to the login screen, possibly ending in a loop.
offloading - load balancer can take over responsibility of compressing resources and sending them to end clients leaving more CPU power for application code on nodes. The same way it can terminate and negotiate HTTPS sessions, which is also expensive because of SSL/TLS cryptography happening for each client. Similarly, load balancer can also cache frequently used resources in memory or on a fast storage to prevent retrieving them from nodes all the time so your nodes does not have to account for more memory and fast SSDs.

Additional things you can do with load balancers

Splitting load based on routing (parts of an URL) - you can decide to dedicate 4 nodes for /rest/api context, 2 nodes for /[css|js|img] and the rest for application code.

TL;DR

Load balancers [can] make your service more reliable, easily scalable, more performant and resilient to outages.

So you're into RFCs?

Slavius — Mon, 20 Aug 2018 10:35:54 +0000

Full RFC

Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0)

Excerpt

1. Rationale and Scope

There is coffee all over the world. Increasingly, in a world in which
computing is ubiquitous, the computists want to make coffee. Coffee
brewing is an art, but the distributed intelligence of the web-
connected world transcends art. Thus, there is a strong, dark, rich
requirement for a protocol designed espressoly for the brewing of
coffee. Coffee is brewed using coffee pots. Networked coffee pots
require a control protocol if they are to be controlled.

Increasingly, home and consumer devices are being connected to the
Internet. Early networking experiments demonstrated vending devices
connected to the Internet for status monitoring [COKE]. One of the
first remotely operated machine to be hooked up to the Internet,
the Internet Toaster, (controlled via SNMP) was debuted in 1990
[RFC2235].

The demand for ubiquitous appliance connectivity that is causing the
consumption of the IPv4 address space. Consumers want remote control
of devices such as coffee pots so that they may wake up to freshly
brewed coffee, or cause coffee to be prepared at a precise time after
the completion of dinner preparations.

This document specifies a Hyper Text Coffee Pot Control Protocol
(HTCPCP), which permits the full request and responses necessary to
control all devices capable of making the popular caffeinated hot
beverages.

HTTP 1.1 ([RFC2068]) permits the transfer of web objects from origin
servers to clients. The web is world-wide. HTCPCP is based on HTTP.
This is because HTTP is everywhere. It could not be so pervasive
without being good. Therefore, HTTP is good. If you want good coffee,
HTCPCP needs to be good. To make HTCPCP good, it is good to base
HTCPCP on HTTP.

2. HTCPCP Protocol

The HTCPCP protocol is built on top of HTTP, with the addition of a
few new methods, header fields and return codes. All HTCPCP servers
should be referred to with the "coffee:" URI scheme (Section 4).

Coffee pots heat water using electronic mechanisms, so there is no
fire. Thus, no firewalls are necessary, and firewall control policy
is irrelevant. However, POST may be a trademark for coffee, and so
the BREW method has been added. The BREW method may be used with
other HTTP-based protocols (e.g., the Hyper Text Brewery Control
Protocol).

2.2.2 New header fields

2.2.2.1 The Accept-Additions header field

In HTTP, the "Accept" request-header field is used to specify media
types which are acceptable for the response. However, in HTCPCP, the
response may result in additional actions on the part of the
automated pot. For this reason, HTCPCP adds a new header field,
"Accept-Additions":

   Accept-Additions = "Accept-Additions" ":"
                      #( addition-range [ accept-params ] )

    addition-type   = ( "*"
                      | milk-type
                      | syrup-type
                      | sweetener-type
                      | spice-type
                      | alcohol-type
                      ) *( ";" parameter )
    milk-type       = ( "Cream" | "Half-and-half" | "Whole-milk"
                      | "Part-Skim" | "Skim" | "Non-Dairy" )
    syrup-type      = ( "Vanilla" | "Almond" | "Raspberry"
                      | "Chocolate" )
    alcohol-type    = ( "Whisky" | "Rum" | "Kahlua" | "Aquavit" )

2.2.3 Omitted Header Fields

No options were given for decaffeinated coffee. What's the point?

2.3.2 418 I'm a teapot

Any attempt to brew coffee with a teapot should result in the error
code "418 I'm a teapot". The resulting entity body MAY be short and
stout.

3. The "coffee" URI scheme

Because coffee is international, there are international coffee URI
schemes. All coffee URL schemes are written with URL encoding of the
UTF-8 encoding of the characters that spell the word for "coffee" in
any of 29 languages, following the conventions for
internationalization in URIs [URLI18N].

coffee-url = coffee-scheme ":" [ "//" host ]
["/" pot-designator ] ["?" additions-list ]

pot-designator = "pot-" integer ; for machines with multiple pots
additions-list = #( addition )

5.2 Crossing firewalls

In most organizations HTTP traffic crosses firewalls fairly easily.
Modern coffee pots do not use fire. However, a "firewall" is useful
for protection of any source from any manner of heat, and not just
fire. Every home computer network SHOULD be protected by a firewall
from sources of heat. However, remote control of coffee pots is
important from outside the home. Thus, it is important that HTCPCP
cross firewalls easily.

By basing HTCPCP on HTTP and using port 80, it will get all of HTTP's
firewall-crossing virtues. Of course, the home firewalls will require
reconfiguration or new versions in order to accommodate HTCPCP-
specific methods, headers and trailers, but such upgrades will be
easily accommodated. Most home network system administrators drink
coffee, and are willing to accommodate the needs of tunnelling
HTCPCP.

7. Security Considerations

Anyone who gets in between me and my morning coffee should be
insecure.

Unmoderated access to unprotected coffee pots from Internet users
might lead to several kinds of "denial of coffee service" attacks.
The improper use of filtration devices might admit trojan grounds.
Filtration is not a good virus protection method.

Tell me a good IT joke

Slavius — Wed, 15 Aug 2018 15:53:35 +0000

Tell me a good joke you know with coding / devops / infra / testing / support related twist. ;)

Give ligatures a chance

Slavius — Tue, 14 Aug 2018 13:06:12 +0000

What are ligatures anyway?

Do you find yourself constantly changing and tweaking your development editor by changing color schemes, font size, line size or tab size to improve your coding exprience?
Do you find yourself staring at a piece of code for too long just to realize you're looking at a simple lambda function with a piece of math?

Well then, you probably lack ligatures and you don't even know it! Ligatures is a font feature, that allows you to display multiple consecutive characters as one custom glyph!
If you've ever used Microsoft Word, it's substitution rules are very close to what ligatures are; with a difference, that Word really replaces the text with a substitution so original text is gone. In contrast, ligatures look like one character only when:

you use font with ligatures
you use editor that supports ligatures
you have ligatures enabled

If you don't have one of these your code will look as usual; without any improvements.

What can it do for me?

Ligatures generally improve readability by making special character combinations distict and as well, making your code shorter by reducing the width of your code by displaying one shorter glyph instead of 2 or sometimes 3 regular width ones.

Let's look at an example:

The funny thing is that within an editor a ligature acts as a single glyph so you can cop and paste it as a single character. In the underlying file it will, however, take space as multiple characters depending on ligature code.

So let's have a look at some sample code with ligatures:

Notice especially:

the for loop -->
== comparison
</ html tags

Very easy on the eyes enhanced by easily identifiable logic operators and markup formatting.

Where can I get it?

There are multiple fonts that support ligatures.

My favorite free one is Fira Code.

There are other alternatives as:

Hasklig (free)
Monoid (free)
Fixedsys Excelsior (free)
Iosevka (free)
DejaVu Sans Code (free)
PragmataPro (paid)

But hey, you mentioned editor support! And you're right, ligatures do not work everywhere! So here's some overview.
Working in:

VS Code (including VS Exploration)
Microsoft Visual Studio 2015+ (including Community edition) - currently a bug in WPF prevents ligatures with minus/dash sign (like -->) to be converted
JetBrains editors (CLion, Intellij, PHPStorm, WebStorm, PyCharm, Rider, ...)
Notepad++ (workaround needed)
Sublime Text
Xamarin Studio
XCode
gEdit
Atom based editors (1.1+)
Android Studio

For complete support have a look at the list of working and non-working editors and as well as terminals!